1

I've been reading a blog post and I saw something which says JS Encoding Vulnerability. In the sample code below, if the user enters something like this :

\x3cscript\x3e%20alert(\x27pwnd\x27)%20\x3c/script\x3e, it says JS will render it as HTML which looks odd to me. I tried it and he was right. 

@{
    ViewBag.Title = "Home Page";
}

<h2 id="welcome-message">Welcome to our website</h2>

@if(!string.IsNullOrWhiteSpace(ViewBag.UserName)) {
<script type="text/javascript">
    $(function () {
        //ViewBag.Username value comes from Controller.
        var message = 'Welcome, @ViewBag.UserName!';
        $("#welcome-message").html(message).hide().show('slow');
    });
</script>
}

My question is, why Javascript decodes already encoded string automatically? Or it does have something with jQuery's html() function which does that? The OP says use Ajax.EncodeJavascriptString() method in order to solve this problem. But why will I need to encode already encoded string? I checked jQuery's website and it doesn't mention anything like that for html() method.

If you like to see the whole blog post, please visit this address http://weblogs.asp.net/jgalloway/archive/2011/04/28/preventing-javascript-encoding-xss-attacks-in-asp-net-mvc.aspx

Improve this question
4
  • Perhaps I miss the ASP.NET bits (I'm not a .NET programmer) but I don't understand why you should use .html() to inject plain text. Commented Feb 19, 2013 at 16:03
  • Imagine we are injecting some markup along with the username. Commented Feb 19, 2013 at 16:14
  • a) how do you get that string? b) how will the output look (I'm no ASP programmer), does it just replace @ViewBag.UserName with the plain, unescaped string? Commented Feb 19, 2013 at 17:41
  • @Bergi Could you please check the URL I gave in the question. It explains where that comes from. Commented Feb 19, 2013 at 17:52

1 Answer 1

Reset to default
3

Have a look at the HTML result:

<script type="text/javascript">
    $(function () {
        var message = 'Welcome, \x3cscript\x3e alert(\x27pwnd\x27) \x3c/script\x3e!';
        $("#welcome-message").html(message).hide().show('slow');
    });
</script>

Yet, that JS string contains some character escape sequences and is equal to

'Welcome, <script> alert("pwnd") </script>!'

So, we want to escape these escape sequences (including simple things like \n or \t) as well as the JS string delimiters ' and " - by using @Encoder.JavaScriptEncode.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

I will review the link you gave. Thanks for the answer!
Just to add to this answer: the reason this happens is that the @ syntax in .cshtml / .vbhtml files is not context-aware. It performs only HTML-encoding. For all other encoding types (such as Javascript or CSS), the page author must make an explicit call to the correct encoding routine, as in Bergi's solution.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.